  1. Hadoop YARN
  2. YARN-3368 [Umbrella] YARN web UI: Next generation
  3. YARN-7338

Support same origin policy for cross site scripting prevention.

Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.9.0, 3.0.0, 3.1.0
    • Component/s: yarn-ui-v2
    • Labels: None
    • Hadoop Flags: Reviewed

    Description

      Opening jira as suggested by eyang on the thread for merging YARN-3368 (new web UI) to branch2 http://mail-archives.apache.org/mod_mbox/hadoop-yarn-dev/201610.mbox/%3CCAD++eCmVVQNZQz9YnkVKcXaCzdkg50YiOFxktgk3mMMs9sHmUA@mail.gmail.com%3E

      ----------
      Ui2 does not seem to support same origin policy for cross site scripting prevention.
      The following parameters have no effect for /ui2:

      hadoop.http.cross-origin.enabled = true
      yarn.resourcemanager.webapp.cross-origin.enabled = true

      This is because ui2 is designed as a separate web application. WebFilters set up for the existing resource manager don’t apply to the new web application.
      Please open JIRA to track the security issue and resolve the problem prior to backporting this to branch-2.
      This would minimize the risk of opening up a security hole in branch-2.

      ----------
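
      A check for the gap described above, as an added example that is not part of the original issue or of the Hadoop code base: it sends a request carrying an Origin header to each web context and reports which ones answer with Access-Control-Allow-Origin. The stand-in server, the sample origin and the /cluster and /ws/v1/cluster/info paths are assumptions made so the script runs offline; only /ui2 and the two configuration keys come from the issue.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_ORIGIN = "https://portal.example.com"  # constructed sample origin
FILTERED_PREFIXES = ("/cluster", "/ws/")       # contexts the stand-in filter covers
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # bypass proxies

class StandInRM(BaseHTTPRequestHandler):
    """Constructed stand-in for the behaviour reported in the issue; not Hadoop code."""
    def do_GET(self):
        self.send_response(200)
        origin = self.headers.get("Origin")
        # The filter is registered per web application, so /ui2 never passes through it.
        if origin == ALLOWED_ORIGIN and self.path.startswith(FILTERED_PREFIXES):
            self.send_header("Access-Control-Allow-Origin", origin)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the demo output quiet
        pass

def probe(base_url, path, origin):
    """Return the Access-Control-Allow-Origin value sent for path, or None."""
    req = urllib.request.Request(base_url + path, headers={"Origin": origin})
    with _opener.open(req, timeout=5) as resp:
        return resp.headers.get("Access-Control-Allow-Origin")

def audit(base_url, paths, origin):
    """Map each path to True when the cross-origin filter answered for it."""
    return {p: probe(base_url, p, origin) == origin for p in paths}

def run_demo():
    """Start the stand-in on a free loopback port and audit three contexts."""
    server = HTTPServer(("127.0.0.1", 0), StandInRM)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = "http://127.0.0.1:%d" % server.server_address[1]
        return audit(base, ["/cluster", "/ws/v1/cluster/info", "/ui2"], ALLOWED_ORIGIN)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for path, covered in run_demo().items():
        print(f"{path:22} filter {'active' if covered else 'NOT applied'}")
```

      To test a deployment, call audit() with the ResourceManager web address and an origin listed in its cross-origin configuration, before and after applying the patch.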

      Attachments

        1. YARN-7338.001.patch
          2 kB
          Sunil G

            People

              Assignee: Sunil G (sunilg)
              Reporter: Vrushali C (vrushalic)
              Votes: 0
              Watchers: 8